Complete Asset Tag List:

As stated previously, I highly recommend that all asset tags begin with their associated prefix (e.g. "OS:", "Type:", "AWS:", "SW:", "Reg:", etc.). These prefixes are vital for many reasons, including building dashboard metrics by filtering results on the type of asset tag.

Asset Informational Tags:

*NOTE: Be sure to check the boxes "Re-Evaluate rule on save" and "Ignore Case" (for any RegEx rule engine tags) in the Tag Rule tab for each tag you create!

Tags assets that have one or more of the QIDs listed and that were also scanned within the last "___" days. You will need to change the value of "DAYS" to match your scanning cycle. For example, if the longest interval between scans on a single asset is 14 days, I would suggest setting the value to 15 days. A scan means any type of vulnerability scan or a Light Inventory scan; MAP scans do not apply asset tags. This tag can be used when targeting assets for scanning. Run a Light Inventory Scan on a group of assets to have this tag

// QID 45099 ("Interface Names and Assigned IP Address Enumerated from Registry").
// The original snippet left "results" and "lineMinimum" undefined; they are defined here
// from the tag description (QID 45099, minimum of 2 lines).
results = asset.resultsForQid(45099L)
// Minimum number of interface/IP lines needed to count as multiple IPs.
lineMinimum = 2
// No QID 45099 results on this host: nothing to count.
if (results == null) return false
// Count number of lines.
int num = (results =~ /(?m)$/).size()
// Some results do not start with Interface details.
if (results.startsWith("#table cols")) num--
// Test.
if (num >= lineMinimum)
    // QID results has at least lineMinimum.
    return true;
// QID results has less than lineMinimum.
return false;

Tags assets with multiple IPs. This is accomplished by querying an asset to see if QID 45099 ("Interface Names and Assigned IP Address Enumerated from Registry") is found on a host. It then counts the number of lines found. If it exceeds the minimum of 2 lines, then this asset has more than 1 NIC/IP and therefore the asset tag is applied.

This tag will identify assets where during a PCI scan, the scanner detected that an Active Protection System (IPS, WAF, Firewall, NGF, etc.) is blocking, filtering, dropping or modifying network packets from a PCI Certified Scan.

If this tag is present on any asset that is targeted for PCI scans, you need to investigate what issue may be associated with the host.

Check the results field of this QID on a host for more information. Typically, the results field will say where it noticed the potential interference.

Scan Time (>30m)

Groovy Scriptlet

// Skip testing on assets that are not hosts.
if (asset.getAssetType() != Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 30
host_scan_time = asset.resultsForQid(45038L);
// Return false if the asset doesn't have QID 45038
// or the results for some reason are not the expected length.
if (host_scan_time == null || host_scan_time.length() <= 16) return false;
// Locate the ' seconds' suffix; without it substring() would throw, so return false instead.
int end = host_scan_time.indexOf(' seconds');
if (end < 0) return false;
// Parse for duration (the number of seconds that follows the 15-character prefix).
host_scan_time = host_scan_time.substring(15, end);
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger();
return host_scan_time > (threshold_minutes * 60);

Tags assets where the total scan time exceeds 30 minutes. This timeframe can be modified by changing the numeric value in Line 4.
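The two scriptlets above (the multiple-IP line count for QID 45099 and the scan-time check for QID 45038) can be exercised offline before you paste them into a tag rule. The following Python harness is an added example, not the page's Groovy or anything from Qualys: it mirrors the same logic so you can feed it constructed QID result strings and see the edge cases. The result strings are constructed samples; the "Scan duration: " prefix is an assumption chosen to be 15 characters long, matching substring(15, ...) in the scriptlet.

```python
import re

# Constructed sample QID result strings (not real scanner output). The
# QID 45038 prefix "Scan duration: " is an assumption chosen to be 15
# characters long, matching substring(15, ...) in the Groovy scriptlet.
SAMPLE_45099_MULTI = (
    '#table cols="2"\n'
    "Ethernet0\t10.0.0.5\n"
    "Ethernet1\t192.168.1.20"
)
SAMPLE_45099_SINGLE = "Ethernet0\t10.0.0.5"
SAMPLE_45038_SLOW = "Scan duration: 2100 seconds"
SAMPLE_45038_FAST = "Scan duration: 600 seconds"
SAMPLE_45038_MALFORMED = "Scan duration: unavailable"

_DURATION_RE = re.compile(r"(\d+) seconds")


def count_result_lines(results):
    """Mirror the Groovy (results =~ /(?m)$/).size() count.

    Java and Python both match a multiline '$' before every line break and
    once more at end of input, so a result that ends with a trailing newline
    is counted as one line longer than it looks."""
    return len(re.findall(r"(?m)$", results))


def has_multiple_ips(results, line_minimum=2):
    """Multiple-IP rule for QID 45099: tag when the result has at least
    line_minimum interface lines, ignoring the '#table cols' header."""
    if results is None:  # QID not found on the host
        return False
    num = count_result_lines(results)
    if results.startswith("#table cols"):
        num -= 1
    return num >= line_minimum


def scan_time_exceeds(results, threshold_minutes=30):
    """Scan-time rule for QID 45038. A regex search stands in for
    substring(15, indexOf(' seconds')): in Groovy/Java a missing ' seconds'
    makes indexOf return -1 and substring throw, so the rule would error
    out instead of returning false."""
    if results is None or len(results) <= 16:
        return False
    match = _DURATION_RE.search(results)
    if match is None:
        return False
    return int(match.group(1)) > threshold_minutes * 60


if __name__ == "__main__":
    for label, res in [("multi", SAMPLE_45099_MULTI), ("single", SAMPLE_45099_SINGLE)]:
        print(f"45099 {label}: multiple IPs = {has_multiple_ips(res)}")
    for label, res in [("slow", SAMPLE_45038_SLOW), ("fast", SAMPLE_45038_FAST),
                       ("malformed", SAMPLE_45038_MALFORMED)]:
        print(f"45038 {label}: exceeds 30m = {scan_time_exceeds(res)}")
```

The one behaviour worth knowing before trusting the line count in bulk evaluation: because `$` also matches at end of input, a QID result with a trailing newline counts one line higher than the number of interface rows, so a single-NIC host could be tagged if the result data ever arrives with a trailing line break.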

This tag is assigned to assets that have not been scanned within the last 90 days and that have not been created (or first found) within the last 90 days. This tag is great for identifying assets that need to be purged. The values for "DAYS" should be adjusted to meet your requirements.

The reason why I've included the "First Found Date" is because of AWS assets that are created using the AWS Connectors. They are created within Qualys once they're spun up and the Qualys Connector API retrieves an inventory of an account from AWS. Without the "First Found Date" criteria, any new asset created in Qualys through the AWS Connector would be marked as a "Stale Asset" since it has never been scanned before.
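The stale-asset rule is two date comparisons, and the "First Found Date" condition is what protects the connector-created assets just described. The following Python snippet is an added example (not a Qualys rule and not the author's code) that evaluates that logic over a constructed set of assets, including a never-scanned AWS asset that was first found three days ago and one that was first found 95 days ago and never scanned.

```python
from datetime import date, timedelta

DAYS = 90  # the "DAYS" value from the tag description; adjust to your cycle

# Constructed assets (not real inventory). last_scan of None means "never scanned".
TODAY = date(2024, 6, 1)
ASSETS = [
    {"name": "old-fileserver", "last_scan": TODAY - timedelta(days=120),
     "first_found": TODAY - timedelta(days=400)},
    {"name": "aws-web-new", "last_scan": None,
     "first_found": TODAY - timedelta(days=3)},
    {"name": "db-active", "last_scan": TODAY - timedelta(days=10),
     "first_found": TODAY - timedelta(days=300)},
    {"name": "aws-web-forgotten", "last_scan": None,
     "first_found": TODAY - timedelta(days=95)},
]


def is_stale(last_scan, first_found, today=TODAY, days=DAYS):
    """Stale = not scanned within `days` AND not first found within `days`.

    The second condition keeps never-scanned assets that a connector has
    just created out of the stale list; once they age past `days` without
    a scan they become stale like anything else."""
    cutoff = today - timedelta(days=days)
    scanned_recently = last_scan is not None and last_scan >= cutoff
    found_recently = first_found is not None and first_found >= cutoff
    return not scanned_recently and not found_recently


def stale_assets(assets, today=TODAY, days=DAYS):
    """Names of the assets the tag would be applied to."""
    return [a["name"] for a in assets
            if is_stale(a["last_scan"], a["first_found"], today, days)]


if __name__ == "__main__":
    print("Stale:", stale_assets(ASSETS))
```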

Sticky Keys Enabled

Vuln(QID) Exist

QID= 124403

Web Server Stopped Responding

Vuln(QID) Exist

QID= 86476

This QID is present on any host where, during a scan, the web server stopped responding to 3 consecutive connection attempts and/or more than 3 consecutive HTTP/HTTPS requests.

This is a great QID for identifying assets that may be falling victim to the scan intensity settings in the scan's Option Profile. Assets with this QID may require a tuned Option Profile with the parallel HTTP processes and packet burst lowered to a level the web server can handle.

Check the QID results field on the asset for more information around what occurred during the scan.

Asset Type:

*NOTE: Be sure to check the boxes "Re-Evaluate rule on save" and "Ignore Case" (for any RegEx rule engine tags) in the Tag Rule tab for each tag you create!

Asset Tag Name

Rule Engine

Logic

Asset Tag Description/Note

Type: Cisco ASA

Operating System Regular Expression

cisco\s(asa|adaptive\ssecurity\sappliance)

Type: Cisco PIX

Operating System Regular Expression

cisco\spix

Type: Cisco Switch

Operating System Regular Expression

(cisco\sswitch)|(cisco\snexus\sswitch)

Type: Cisco Controller

Operating System Regular Expression

cisco\scontroller

This RegEx may need tweaking. I didn't have a great sample size for this OS.

Type: Cisco IP Phone

Operating System Regular Expression

cisco\sip\sphone

This RegEx may need tweaking. I didn't have a great sample size for this OS.

I recently realized that the logic for this tag on line 9 was incorrect and has been updated. If you are using this tag, please verify that the logic for your tag is updated with the right search term on line #9.

Type: Mobile Device

Operating System Regular Expression

apple\sios|.*android.*

Stay tuned on this tagging logic. Regular updates will be made to this tag as I am able to collect more OS information on mobile devices.

This tag is for customers who are in the banking industry who specifically have NCR ATM machines in their environment.

The QIDs used in this tag require successful authentication. Without successful authentication, this tag will not work.

A VERY special thank you goes out to a customer, you know who you are, for letting me assist with their specific use case. I will work on creating additional tags for these and other ATM vendors as the opportunities come up.

Type: Print Server

Operating System Regular Expression

.*print\sserver.*

Tags many different types of print servers

Type: Printer

Operating System Regular Expression

.*printer.*

Tags many different types of printers

Type: Server

Operating System Regular Expression

.*Windows (Server|20\d\d).*|Linux|Red Hat Enterprise|Server.*

Tags assets where the operating system was identified as a server of some kind, regardless of "flavor" (Windows or Linux). This also captures print servers.
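Before creating the "Type:" tags above, it helps to run their regular expressions over a handful of real OS strings from your subscription and see which tags overlap (the "Type: Server" pattern also matching print servers is one such overlap). The following Python harness is an added example, not Qualys code: it compiles the patterns listed above with case-insensitive matching, mirroring the "Ignore Case" option, and reports which tags would apply to each constructed OS string. It assumes the rule engine behaves like a substring search (`re.search`); if your tag rule test shows different results, the engine may require a full match instead, so confirm with the "Tag Rule Test Results" in the tag editor.

```python
import re

# Regular expressions copied from the Type: tags above, compiled with
# IGNORECASE to mirror the "Ignore Case" tag-rule option. Search semantics
# (substring match) are an assumption about the Qualys rule engine.
TYPE_TAGS = {
    "Type: Cisco ASA": r"cisco\s(asa|adaptive\ssecurity\sappliance)",
    "Type: Cisco PIX": r"cisco\spix",
    "Type: Cisco Switch": r"(cisco\sswitch)|(cisco\snexus\sswitch)",
    "Type: Cisco Controller": r"cisco\scontroller",
    "Type: Cisco IP Phone": r"cisco\sip\sphone",
    "Type: Mobile Device": r"apple\sios|.*android.*",
    "Type: Print Server": r".*print\sserver.*",
    "Type: Printer": r".*printer.*",
    "Type: Server": r".*Windows (Server|20\d\d).*|Linux|Red Hat Enterprise|Server.*",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in TYPE_TAGS.items()}

# Constructed OS strings (not taken from a real subscription).
SAMPLE_OS_STRINGS = [
    "Cisco Adaptive Security Appliance 9.x",
    "Cisco Nexus Switch",
    "HP Print Server",
    "HP LaserJet Printer",
    "Windows Server 2019",
    "Windows 10 Pro",
    "Ubuntu Linux 22.04",
    "Android 12",
    "",
]


def tags_for_os(os_string):
    """Return the Type: tags whose regex matches the OS string, in list order."""
    if not os_string:  # no OS detected: no Type: tag applies
        return []
    return [name for name, rx in COMPILED.items() if rx.search(os_string)]


def overlapping(os_strings):
    """OS strings that would receive more than one Type: tag."""
    return {s: tags_for_os(s) for s in os_strings if len(tags_for_os(s)) > 1}


if __name__ == "__main__":
    for s in SAMPLE_OS_STRINGS:
        print(f"{s!r:40} -> {tags_for_os(s)}")
    print("Overlaps:", overlapping(SAMPLE_OS_STRINGS))
```

Running it shows "HP Print Server" receiving both "Type: Print Server" and "Type: Server", which is the overlap the description mentions, while "Windows 10 Pro" correctly receives no server tag.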

Tags an asset with the name of the authentication record used during the scan. Please note that you will need to do some homework for this tag: the QIDs in lines 5-10 are fine, but you will need to change line 14 to the correct name used in the results field of those QIDs (lines 5-10).

Please note: the results field lists the authentication record name but substitutes underscores ("_") for spaces. Any special characters are escaped with an underscore ("_") as well. For example:

Used to tag assets where the authentication record authenticates with a public key/certificate as opposed to a username/password. The QID used is "Unix Authentication Method", which, when present, indicates that successful Unix authentication has occurred.

Tags assets where the two critical registry paths are inaccessible via network-based vulnerability scans. The presence of this asset tag indicates that your authentication record used on the target host has insufficient access and needs to be investigated.

This tag identifies assets where the credentials provided for vulnerability scanning were unable to access the registry path that contains hardware-related system information. BIOS information, processor information, system manufacturer and model/serial number are just a few things found here. This isn't necessarily critical, but depending on your own use cases this may be important information for you to have.

Identifies assets where the authentication record used does not have the access required to view the installed patches. Since Qualys is unable to check this registry location for installed patches, it's very likely that some vulnerabilities are not being identified. As a result, vulnerability detections will be impacted!

Like the previous tag, this is one location where Qualys looks for installed software. This registry location is what's used to help populate the "Installed Software" tab for a host within AssetView. If this tag has been applied to a host, the vulnerability detections are likely less than the number of vulnerabilities it actually has. This is because Qualys is unable to view what software is installed as well as what versions the software is running on the target host. Arguably, every application (software) installed on a computer exposes the system to any number of vulnerabilities. If access to this registry location is being blocked, Qualys is unable to detect vulnerabilities these applications expose.

Many important system details reside within the HKEY_LOCAL_MACHINE (HKLM) System location. This asset tag is a generic tag that tags any asset where access to the "HKLM\System" location was denied. Probably one of the most important locations within System is "CurrentControlSet" (HKLM\System\CurrentControlSet). This is a goldmine of system information! Within "Control", information such as system name, network information, power settings (I found my power button configuration in here), and so on, can be found. Have a look for yourself!

We have over 69000 assets. I am getting assets that certainly do have operating systems listed, but are showing up in the 'No OS Detected' tag.

I've tested two assets while in the "Tag Edit" window to edit and test the Groovy Script.

Asset 1 has an Operating system, and when tested against the script it shows an X, or false in the "Tag Rule Test Results". This is correct.

Asset 2 does not have an operating system, and it shows a green checkmark/true. This is also correct.

Both are showing up in the 'No OS Detected' list even after re-evaluating the rule. It appears the Groovy Script works fine on a one-on-one evaluation but it appears to break when doing assets in bulk.

For the 'No OS Detected' tag rule, use the following code instead. It's faster and much more reliable in my experience. Also, Groovy interprets empty and null both as false automatically so checking for those two conditions in the code is not necessary: